phonebo.cx (New Member; joined Jul 25, 2016; messages: 17; reaction score: 3)
I'm sorry it's taken so long to post more about this, but, we have our reasons. Hopefully this post will expand on who we are, and what we want to do.
Firstly, a bit of background about us. There's 4 of us, and we refer to ourselves, and you may refer to us, as dev1, dev2, dev3 and dev4. I'm dev4. I'm the only one who is a native English speaker and I asked to be the one that does most of the public announcements.
Dev1 and Dev3 are from India, and none of us know where Dev2 is from (I'm guessing China, just because of some of his/her commits). I'm from the US, and I'm the one that started this and wanted us to be Anonymous.
Can you try to guess who we are? Sure. We'll never admit it! However, there may be a time in the future, when we DO need to publicly verify who we are. In that case, you will be able to trust any message signed by bitcoin ID 1ezbaYZnCF7NX7egSa5EDPvgoCjgERPdL - this is confirmed by our twitter here:
How did we meet? In IRC and various other anonymous hangouts, where we discovered we all shared a common interest in VoIP!
Why so much secrecy? That's the big question. There's a lot of things that are scary in VoIP. There's indemnities, E911, spam, patents, trolls, lawsuits, and a lot of other things that we just don't want to get involved in. The easiest way to not get involved in it is to not tell anyone who we are. As we all are large fans of Open Source, and we have no interest in making money, we don't feel any need to make ourselves public. (kat.cr was exposed because of his money trail, for example!) We hope our code will speak for us.
What are we planning on doing? We've been gifted some AWS resources that will cover our first stage.
The first part is taking FreePBX 13 and making sure that there are no hidden traps inside it. We have discovered a couple of hooks as part of our original brief security audit that are used as part of the (we assume) sysadmin module, but we want to investigate it further.
The second part is setting up a new mirror server and making sure it keeps up to date with the Schmooze servers. We have already written some sample code for this (it seems very simple), but making it happen automatically is going to be the hard part.
Luckily for us, git is very smart for these sorts of things, and dev2 knows everything about it, and will be helping with those parts.
From there, we shall be being good open source community members, and sending our changes back as pull requests to Schmooze, to see if they take them! I'm sure that'll be funny to watch, if they refuse them.
One of the discussions we've had internally is what to do about module signing. This is another reason for us to be anonymous. We strongly agree that module signatures are a great idea. We strongly disagree with Sangoma being the only people who can sign keys to produce modules. So one of the things we'll be doing is making sure that multiple 'root' keys can be used. At the moment, only one key is hard-coded in there, which is the Sangoma key. One of our first pull requests will be to make that master key replaceable, and appendable.
This gets into the point that Sangoma are making, that they may be liable if someone does bad stuff with a signed key. That's not a problem for us, we don't care. We're anonymous! Who are you going to sue? Ghostbusters!
That was the end of the document we were all working on, and if you have any questions, please feel free to ask them here, on twitter (@phonebocx) or on the FreePBX Forums (we have a thread there - community.freepbx.org/t/36132/ that you may read).
We're all human, so if we do give out conflicting information, please forgive us, and make sure you ask for clarification.
Thanks!
The phonebo.cx team.